NEW HAVEN, Conn. (WTNH) — Connecticut will receive $67,505 as part of a $1.25 million multistate settlement with Carnival Cruise Line after a data breach in 2019, Attorney General William Tong announced Wednesday.

More than 1,200 Connecticut residents were impacted by the breach, which Carnival publicly reported in March of 2020. It included names, addresses, passport numbers, and other personal information, according to Tong’s office.

Breach notifications sent to the attorney general offices said the cruise line first learned of suspicious email activity in May of 2019, Tong’s office said, around 10 months before Carnival reported the breach.

“It’s important that Connecticut residents are notified quickly when their information may be at risk due to a data breach,” Tong said. “This settlement sends the message that companies need to take stock of what information they maintain and take reasonable steps to protect that information. Storing large amounts of information in unmanageable formats, such as email, does not excuse delays in notifying state attorneys general or impacted individuals about a breach.”

According to Tong’s office, Carnival has agreed to a series of terms intended to strengthen its email security and breach response practices. These include the following:

  • Implementation and maintenance of breach response and notification plan
  • Email security training requirements for employees, including dedicated phishing exercises
  • Multi-factor authentication for remote email access
  • Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage
  • Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network
  • Consistent with past data breach settlements, undergoing an independent information security assessment

Connecticut co-led the investigation with Florida and Washington and was assisted by numerous other states.